Module Name: src
Committed By: riastradh
Date: Sun Mar 13 17:52:46 UTC 2022
Modified Files:
src/sys/kern: subr_time.c
Log Message:
kern: Fix fencepost error in ts2timo overflow checks.
Triggered by
clock_settime({.tv_sec=0, .tv_nsec=0})
clock_nanosleep({.tv_sec=LLONG_MIN, .tv_nsec=0})
so that, by the time we enter ts2timo (after a few nanoseconds have
passed), we end up with
tsd = {.tv_sec=0, .tv_nsec=nonzero}
ts = {.tv_sec=LLONG_MIN, .tv_nsec=0}
and the subtraction ts - tsd leads to a borrow from tv_sec.
Reported-by: syzbot+14818113e9d0b45bc...@syzkaller.appspotmail.com
To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 src/sys/kern/subr_time.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/subr_time.c
diff -u src/sys/kern/subr_time.c:1.31 src/sys/kern/subr_time.c:1.32
--- src/sys/kern/subr_time.c:1.31 Tue Sep 21 14:55:14 2021
+++ src/sys/kern/subr_time.c Sun Mar 13 17:52:45 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: subr_time.c,v 1.31 2021/09/21 14:55:14 christos Exp $ */
+/* $NetBSD: subr_time.c,v 1.32 2022/03/13 17:52:45 riastradh Exp $ */
/*
* Copyright (c) 1982, 1986, 1989, 1993
@@ -33,7 +33,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: subr_time.c,v 1.31 2021/09/21 14:55:14 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_time.c,v 1.32 2022/03/13 17:52:45 riastradh Exp $");
#include <sys/param.h>
#include <sys/kernel.h>
@@ -341,8 +341,13 @@ ts2timo(clockid_t clock_id, int flags, s
}
if ((flags & TIMER_ABSTIME) != 0) {
- if ((tsd.tv_sec > 0 && ts->tv_sec < LLONG_MIN + tsd.tv_sec) ||
- (tsd.tv_sec < 0 && ts->tv_sec > LLONG_MAX + tsd.tv_sec))
+ /*
+ * Add one to the bound to account for possible carry
+ * from tv_nsec in timespecsub.
+ */
+ if (tsd.tv_sec > 0 && ts->tv_sec < LLONG_MIN + tsd.tv_sec + 1)
+ return EINVAL;
+ if (tsd.tv_sec < 0 && ts->tv_sec > LLONG_MAX + tsd.tv_sec - 1)
return EINVAL;
timespecsub(ts, &tsd, ts);
}
